Live Vulnerability Intelligence

Threat Database

Search CVEs, inspect descriptions, and open detail pages with AI-assisted technical context.

Filter: Critical (919 of 919 records; High 0, Medium 0)
Showing 301-320 of 919 records
Threat Entry Updated 2025-05-23

CVE-2025-32292 - Jarvis – Night Club, Concert, Festival WordPress Theme

Deserialization of Untrusted Data vulnerability in AncoraThemes Jarvis – Night Club, Concert, Festival WordPress allows Object Injection. This issue affects Jarvis – Night Club, Concert, Festival WordPress: from n/a through 1.8.11.

THEME Jarvis – Night Club, Concert, Festival WordPress

CRITICAL CVSS 9.8 2025-05-23
Threat Entry Updated 2025-05-23

CVE-2025-31914 - Pixel WordPress Form Builder Plugin & Autoresponder

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in kamleshyadav Pixel WordPress Form Builder Plugin & Autoresponder allows Blind SQL Injection. This issue affects Pixel WordPress Form Builder Plugin & Autoresponder: from n/a through 1.0.2.

PLUGIN Pixel WordPress Form Builder Plugin & Autoresponder

CRITICAL CVSS 9.3 2025-05-23
Threat Entry Updated 2025-05-21

CVE-2025-4524 - Madara Theme

The Madara – Responsive and modern WordPress theme for manga sites theme for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.2.2 via the 'template' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other "safe" file types can be uploaded and included.

THEME Madara – Responsive and modern WordPress theme for manga sites

CRITICAL CVSS 9.8 2025-05-21
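
The pattern behind a Local File Inclusion through a request parameter, shown as an added PHP illustration written for this page; it is not code from the Madara theme, and the function names, the 'templates/' directory and the template keys are assumptions:

```php
<?php
// Added illustration of the vulnerability class, not code from the Madara theme.
// Function, directory and template names are hypothetical.

// VULNERABLE: the request decides which file PHP includes. Because include()
// executes any <?php ... ?> block in the target, a file that was accepted as a
// "safe" upload (an image with PHP appended, for example) becomes executable:
//   ?template=../../../../uploads/2025/05/avatar.jpg
function hypo_render_template_vulnerable() {
    $template = isset( $_GET['template'] ) ? wp_unslash( $_GET['template'] ) : 'default';
    include get_template_directory() . '/templates/' . $template;
}

// HARDENED: the request value is only ever used as a KEY into a fixed map;
// the string from the request never becomes part of a filesystem path.
function hypo_render_template_hardened() {
    $allowed = array(
        'default' => 'single-default.php',
        'grid'    => 'single-grid.php',
        'list'    => 'single-list.php',
    );
    // sanitize_key() reduces the input to [a-z0-9_-]; anything not in the map
    // falls back to the default instead of being interpreted.
    $key = isset( $_GET['template'] ) ? sanitize_key( wp_unslash( $_GET['template'] ) ) : 'default';
    if ( ! array_key_exists( $key, $allowed ) ) {
        $key = 'default';
    }
    include get_template_directory() . '/templates/' . $allowed[ $key ];
}

// WordPress-native equivalent: get_template_part() searches the theme's own
// directory for a slug and ignores directory components in the request string.
function hypo_render_template_with_core_api() {
    $key = isset( $_GET['template'] ) ? sanitize_key( wp_unslash( $_GET['template'] ) ) : 'default';
    get_template_part( 'templates/single', in_array( $key, array( 'grid', 'list' ), true ) ? $key : 'default' );
}
```

The defining feature of the fix is that an allowlist lookup replaces path construction; sanitising "../" out of the string is weaker, since an encoding or a double "....//" form may survive a naive filter.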
Threat Entry Updated 2025-05-21

CVE-2025-4322 - Motors Theme

The Motors theme for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 5.6.67. This is due to the theme not properly validating a user's identity prior to updating their password. This makes it possible for unauthenticated attackers to change arbitrary user passwords, including those of administrators, and leverage that to gain access to their account.

THEME Motors

CRITICAL CVSS 9.8 2025-05-20
Threat Entry Updated 2025-05-29

CVE-2025-39348 - Grand Restaurant Plugin

Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant WordPress allows Object Injection. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-06-09

CVE-2025-32926 - Grand Restaurant Plugin

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ThemeGoods Grand Restaurant WordPress allows Path Traversal. This issue affects Grand Restaurant WordPress: from n/a through 7.0.

PLUGIN Grand Restaurant

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-47581 - WordPress Events Calendar Registration & Tickets Plugin

Deserialization of Untrusted Data vulnerability in Elbisnero WordPress Events Calendar Registration & Tickets allows Object Injection. This issue affects WordPress Events Calendar Registration & Tickets: from n/a through 2.6.0.

PLUGIN WordPress Events Calendar Registration & Tickets

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-05-21

CVE-2025-47582 - WPBot Pro Wordpress Chatbot Plugin

Deserialization of Untrusted Data vulnerability in QuantumCloud WPBot Pro Wordpress Chatbot allows Object Injection. This issue affects WPBot Pro Wordpress Chatbot: from n/a through 12.7.0.

PLUGIN WPBot Pro Wordpress Chatbot

CRITICAL CVSS 9.8 2025-05-19
Threat Entry Updated 2025-05-19

CVE-2025-4391 - Echo Rss Feed Post Generator Plugin

The Echo RSS Feed Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the echo_generate_featured_image() function in all versions up to, and including, 5.4.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Echo Rss Feed Post Generator

CRITICAL CVSS 9.8 2025-05-17
Threat Entry Updated 2025-05-19

CVE-2025-4389 - Crawlomatic Multipage Scraper Post Generator Plugin

The Crawlomatic Multipage Scraper Post Generator plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the crawlomatic_generate_featured_image() function in all versions up to, and including, 2.6.8.1. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Crawlomatic Multipage Scraper Post Generator

CRITICAL CVSS 9.8 2025-05-17
Threat Entry Updated 2025-05-28

CVE-2024-8673 - Z-Downloads Plugin

The Z-Downloads WordPress plugin before 1.11.7 does not properly validate uploaded files, allowing the upload of SVGs containing malicious JavaScript.

PLUGIN Z-Downloads

CRITICAL CVSS 9.1 2025-05-15
Threat Entry Updated 2025-06-05

CVE-2024-6809 - Simple Video Directory Plugin

The Simple Video Directory WordPress plugin before 1.4.3 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Simple Video Directory

CRITICAL CVSS 9.8 2025-05-15
Threat Entry Updated 2025-06-11

CVE-2024-6159 - Push Notification For Post And Buddypress Plugin

The Push Notification for Post and BuddyPress WordPress plugin before 1.9.4 does not properly sanitise and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

PLUGIN Push Notification For Post And Buddypress

CRITICAL CVSS 9.8 2025-05-15
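
The three SQL injection entries above (Pixel Form Builder, Simple Video Directory, Push Notification for Post and BuddyPress) share one shape: an AJAX action registered for logged-out users that splices a request value into a query. The following PHP is an added illustration written for this page, not any of those plugins' code; the hook names, table name and parameter are assumptions:

```php
<?php
// Added illustration of unauthenticated AJAX SQL injection in a WordPress plugin.
// Not the code of any plugin listed on this page; hook, table and parameter names
// are hypothetical.

// VULNERABLE: wp_ajax_nopriv_* makes the handler reachable without a login, and
// the request value lands inside the SQL string unchanged.
add_action( 'wp_ajax_nopriv_hypo_list_videos', 'hypo_list_videos_vulnerable' );
function hypo_list_videos_vulnerable() {
    global $wpdb;
    $cat = isset( $_GET['cat'] ) ? wp_unslash( $_GET['cat'] ) : '';
    // ?cat=1 OR SLEEP(5)  makes the server pause: a blind, time-based injection
    // that needs no output from the query at all.
    $rows = $wpdb->get_results( "SELECT id, title FROM {$wpdb->prefix}hypo_videos WHERE category = $cat" );
    wp_send_json_success( $rows );
}

// HARDENED: validate the type first, bind the value with $wpdb->prepare(), and
// register the nopriv_ hook only if the endpoint genuinely has to be public.
add_action( 'wp_ajax_hypo_list_videos_safe', 'hypo_list_videos_hardened' );
add_action( 'wp_ajax_nopriv_hypo_list_videos_safe', 'hypo_list_videos_hardened' );
function hypo_list_videos_hardened() {
    global $wpdb;
    // A category id is an integer; absint() turns "1 OR SLEEP(5)" into 1.
    $cat = isset( $_GET['cat'] ) ? absint( $_GET['cat'] ) : 0;
    if ( 0 === $cat ) {
        wp_send_json_error( 'invalid category', 400 );
    }
    // %d is a bound placeholder: the value can only ever be a number in the query.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}hypo_videos WHERE category = %d LIMIT %d",
        $cat,
        50
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Free-text input (a search term) is bound with %s. LIKE wildcards in the user's
// string are escaped separately, since prepare() only handles quoting.
function hypo_search_videos( $term ) {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $term ) ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, title FROM {$wpdb->prefix}hypo_videos WHERE title LIKE %s", $like )
    );
}
```

Note that `sanitize_text_field()` on its own is not an SQL defence; it strips tags and control characters but leaves quotes in place. The query is safe because of `prepare()`, and the sanitiser only tidies what gets stored or echoed.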
Threat Entry Updated 2025-05-16

CVE-2025-4564 - Ticketbai Facturas Para Woocommerce Plugin

The TicketBAI Facturas para WooCommerce plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation via the 'delpdf' action in all versions up to, and including, 3.18. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php).

PLUGIN Ticketbai Facturas Para Woocommerce

CRITICAL CVSS 9.8 2025-05-15
Threat Entry Updated 2025-05-16

CVE-2025-3917 - Baiduseo Plugin

The 百度站长SEO合集 (Baidu Webmaster SEO Collection, with push to Baidu/Shenma/Bing/Toutiao) plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the download_remote_image_to_media_library function in all versions up to, and including, 2.0.6. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Baiduseo

CRITICAL CVSS 9.8 2025-05-15
Threat Entry Updated 2025-08-12

CVE-2025-3623 - Uncanny Automator Plugin

The Uncanny Automator plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 6.4.0.1 via deserialization of untrusted input in the automator_api_decode_message() function. This makes it possible for unauthenticated attackers to inject a PHP Object. The additional presence of a POP chain allows attackers to delete arbitrary files.

PLUGIN Uncanny Automator

CRITICAL CVSS 9.1 2025-05-14
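
Five entries on this page (Jarvis, Grand Restaurant, Events Calendar Registration & Tickets, WPBot Pro and Uncanny Automator) are the same bug: untrusted bytes reach unserialize(). The PHP below is an added illustration written for this page of what a "gadget" is, why a POP chain can end in file deletion, and the two standard fixes. It is not the code of any of those products, and the class, function and file names are hypothetical:

```php
<?php
// Added illustration of PHP object injection through unserialize(). Not the code
// of Uncanny Automator or of the other affected products; every class, function
// and path here is hypothetical.

// A "gadget": a class the site already autoloads whose magic method has a side
// effect. A destructor that removes a file is a one-link POP chain ending in
// arbitrary file deletion.
class Hypothetical_Temp_File {
    public $path = '';

    public function __destruct() {
        // PHP calls this when the object is torn down. If the object came from
        // unserialize(), $path is whatever the request body said it was.
        if ( '' !== $this->path && is_file( $this->path ) ) {
            unlink( $this->path );
        }
    }
}

// VULNERABLE: the request body goes straight into unserialize(). A body of
//   O:22:"Hypothetical_Temp_File":1:{s:4:"path";s:23:"/var/www/html/index.php";}
// instantiates the gadget with an attacker-chosen path; the destructor deletes it.
function hypothetical_decode_message_vulnerable( $raw ) {
    return unserialize( $raw );
}

// HARDENED (a): keep the format but forbid object instantiation. Every serialized
// object becomes __PHP_Incomplete_Class, whose magic methods never run, so no
// gadget is reachable. Scalars and arrays still round-trip normally.
function hypothetical_decode_message_no_objects( $raw ) {
    $data = @unserialize( $raw, array( 'allowed_classes' => false ) );
    return is_array( $data ) ? $data : null;
}

// HARDENED (b): for new code, do not accept PHP's serialization format from the
// network at all. JSON decoded to associative arrays cannot create objects, and
// an HMAC over the body rejects anything the legitimate sender did not produce.
function hypothetical_decode_message_json( $raw, $signature, $secret ) {
    $expected = hash_hmac( 'sha256', $raw, $secret );
    if ( ! hash_equals( $expected, $signature ) ) { // constant-time compare
        return null;
    }
    $data = json_decode( $raw, true );
    return is_array( $data ) ? $data : null;
}
```

Two practical notes: `allowed_classes` needs PHP 7.0 or later, and a gadget does not have to live in the vulnerable plugin. Any class from WordPress core, the theme or another active plugin counts, which is why the deserialization itself is rated critical even when the reporting vendor has not published a chain.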
Threat Entry Updated 2025-05-12

CVE-2025-4403 - Drag And Drop Multiple File Upload For Woocommerce Plugin

The Drag and Drop Multiple File Upload for WooCommerce plugin for WordPress is vulnerable to arbitrary file uploads in all versions up to, and including, 1.1.6 due to accepting a user-supplied supported_type string and the uploaded filename without enforcing real extension or MIME checks within the upload() function. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Drag And Drop Multiple File Upload For Woocommerce

CRITICAL CVSS 9.8 2025-05-09
Threat Entry Updated 2025-05-12

CVE-2025-3605 - Frontend Login And Registration Blocks Plugin

The Frontend Login and Registration Blocks plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.0.7. This is due to the plugin not properly validating a user's identity prior to updating their details like email via the flr_blocks_user_settings_handle_ajax_callback() function. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account.

PLUGIN Frontend Login And Registration Blocks

CRITICAL CVSS 9.8 2025-05-09
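
The Motors and Frontend Login and Registration Blocks entries describe the same failure: a handler that changes a password or e-mail for a user id named in the request rather than the user who is logged in. As an added PHP illustration written for this page (not either product's code; hook names and request field names are assumptions), here is that handler beside a version that binds the change to the caller's own session and current password:

```php
<?php
// Added illustration of account takeover through an unauthenticated settings
// handler in a WordPress plugin or theme. Not the code of Motors or of Frontend
// Login and Registration Blocks; hook and field names are hypothetical.

// VULNERABLE: reachable without login, and "which user" is taken from the
// request. Setting user_id=1 (typically the first administrator) and an
// attacker-controlled e-mail is enough; the password reset link then goes there.
add_action( 'wp_ajax_nopriv_hypo_user_settings', 'hypo_user_settings_vulnerable' );
add_action( 'wp_ajax_hypo_user_settings', 'hypo_user_settings_vulnerable' );
function hypo_user_settings_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// HARDENED: identity comes from the session, the request is tied to that
// session with a nonce, and changing credentials requires the current password.
add_action( 'wp_ajax_hypo_user_settings_safe', 'hypo_user_settings_hardened' ); // no nopriv_ hook
function hypo_user_settings_hardened() {
    check_ajax_referer( 'hypo_user_settings', 'nonce' ); // dies on a missing or stale nonce

    $user_id = get_current_user_id();                     // 0 when nobody is logged in
    if ( ! $user_id ) {
        wp_send_json_error( 'login required', 401 );
    }
    $user = get_userdata( $user_id );

    // Re-authenticate before touching anything that can be used to log in.
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    if ( ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( 'current password is wrong', 403 );
    }

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) || ( email_exists( $email ) && (int) email_exists( $email ) !== $user_id ) ) {
        wp_send_json_error( 'invalid or already used email', 400 );
    }

    $update   = array( 'ID' => $user_id, 'user_email' => $email ); // ID fixed to the caller
    $new_pass = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( '' !== $new_pass ) {
        $update['user_pass'] = $new_pass; // wp_update_user() hashes it and invalidates other sessions
    }
    $result = wp_update_user( $update );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

The nonce on its own would not have prevented either CVE: a nonce proves the request came from a page the site served, not who the caller is. The fix that matters is `get_current_user_id()` replacing a request-supplied id.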
Threat Entry Updated 2025-05-12

CVE-2024-11617 - Envolve Plugin

The Envolve Plugin plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the 'zetra_languageUpload' and 'zetra_fontsUpload' functions in all versions up to, and including, 1.0. This makes it possible for unauthenticated attackers to upload arbitrary files on the affected site's server which may make remote code execution possible.

PLUGIN Envolve

CRITICAL CVSS 9.8 2025-05-09
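
Six entries on this page (Echo RSS Feed Post Generator, Crawlomatic, the Baidu SEO collection, Drag and Drop Multiple File Upload for WooCommerce, Envolve and Z-Downloads) are missing-validation file uploads, several of them in "download a remote image and save it as the featured image" code. The PHP below is an added illustration written for this page, not any of those plugins' code; the function names are hypothetical, and it assumes the WordPress admin include files named at the top are available:

```php
<?php
// Added illustration of arbitrary file upload through a remote-image fetch.
// Not the code of any plugin listed on this page; function names are hypothetical.
require_once ABSPATH . 'wp-admin/includes/file.php';   // wp_tempnam(), wp_handle_sideload()
require_once ABSPATH . 'wp-admin/includes/media.php';  // media_handle_sideload()
require_once ABSPATH . 'wp-admin/includes/image.php';  // attachment metadata

// VULNERABLE: whatever the feed or crawled page points at is written into the
// uploads directory under its remote name. A URL ending in shell.php yields a
// web-reachable PHP file.
function hypo_generate_featured_image_vulnerable( $url ) {
    $upload = wp_upload_dir();
    $body   = wp_remote_retrieve_body( wp_remote_get( $url ) );
    $name   = basename( (string) parse_url( $url, PHP_URL_PATH ) );
    file_put_contents( $upload['path'] . '/' . $name, $body );
    return $upload['url'] . '/' . $name;
}

// The allowed types are fixed server-side. Accepting a "supported_type" list
// from the request, as one entry above describes, hands this decision to the
// attacker. SVG is deliberately absent: it is XML and may carry <script>.
function hypo_allowed_image_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
        'webp'     => 'image/webp',
    );
}

// HARDENED: inspect the bytes, not just the name; let WordPress pick the
// stored filename; return a WP_Error instead of a URL on any doubt.
function hypo_generate_featured_image_hardened( $url, $post_id = 0 ) {
    $response = wp_remote_get( $url, array( 'timeout' => 10 ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    // Land the content in a temp file first so it can be checked before it has a
    // web-reachable path.
    $tmp = wp_tempnam( $url );
    file_put_contents( $tmp, wp_remote_retrieve_body( $response ) );

    $name  = sanitize_file_name( basename( (string) parse_url( $url, PHP_URL_PATH ) ) );
    $check = wp_check_filetype_and_ext( $tmp, $name, hypo_allowed_image_mimes() );
    // ext/type are false when the extension is outside the allowlist or the
    // content on disk does not match the type the extension claims.
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || false === @getimagesize( $tmp ) ) {
        @unlink( $tmp );
        return new WP_Error( 'hypo_bad_upload', 'not an allowed image' );
    }

    // media_handle_sideload() re-validates, renames safely and creates the
    // attachment; on success it has already moved $tmp into the uploads dir.
    $attachment_id = media_handle_sideload( array( 'name' => $name, 'tmp_name' => $tmp ), $post_id );
    if ( is_wp_error( $attachment_id ) ) {
        @unlink( $tmp );
    }
    return $attachment_id;
}
```

Two points generalise beyond the remote-fetch case. A check on the filename extension alone is what the vulnerable plugins effectively had, and it is defeated by a double extension or a server that maps unexpected extensions to PHP; checking the content with `wp_check_filetype_and_ext()` and `getimagesize()` closes that. And for the Z-Downloads-style SVG case the answer is not to tighten the image check but to keep SVG out of the list altogether, or to run it through a sanitiser before storing it.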